South Korean financial firms have risk management problems

Managing software rather than hardware is the problem

2024.04.25

I vividly remember my winter semester at U Penn in January 1986. Probably because I did a double take.

I was taking Econometrics with Professor Lawrence Klein, winner of the 1980 Nobel Prize in Economics, and I was surprised to find out that he was not very good at teaching. I was very excited to learn from a Nobel Prize winner, but I was also very disappointed.

Of course, I was largely to blame for my inability to follow the lecture, but Professor Klein, a great researcher, was not a good teacher. I was impressed by the student engagement of Professor Jan Kmenta, who taught statistics at the University of Michigan, but I was disappointed by the disorganization of Professor Klein's lecture.

I looked up the date of the Space Shuttle Challenger explosion on the Internet and found that it was January 28, 1986. There was no internet back then, so I didn't know right away what had happened, but I remember that the whole country was in disarray, including the classroom at U Penn.

I'm not sure, but I think Prof. Klein mentioned it in one of his lectures, and it was just as traumatic. The Challenger exploded less than a minute after launch due to a temperature drop that caused a gap in the O-ring at the joint of the Space Shuttle's propellant rockets. At a technical committee meeting the day before launch, engineers who raised the possibility of an accident were overruled by leadership and a reckless launch was pushed through.

It was all the more surprising when I later learned that the decision-making system at NASA, which was at the cutting edge of technology and the world's greatest collective intelligence organization at the time, was by no means rational, transparent, or rigid.

Great researchers are not necessarily great teachers. Just because Tiger Woods is a great golfer doesn't mean he's a great teacher.

Great hardware is not the same as great software. In any endeavor, a great process and great results are more likely when hardware and software work well together.

This is especially true for business risk management systems. The sophistication of risk management systems in the financial sector, where risk management is even more critical than in other industries, is staggering.

Over the past 50 years, the sophistication of financial risk management has evolved to a point where it's almost beyond the reach of the average person, and the regulatory system for the financial industry has evolved to include Basel III and Solvency II.

Nevertheless, the horrors of the global financial crisis seem to be all around us, with one major financial disaster after another erupting around the world. What's the problem and what should we do?

In addition to traditional hardware-oriented risk management, we now need to pay more attention to software-oriented risk management.

There are certain risk management blind spots that cannot be covered by numbers and quantitative analysis alone. Opacity or irrationality in decision-making systems is a prime example.

In any organisation, poor decision-making processes, such as a rigid hierarchical decision-making system, can lead to poor outcomes.

The financial sector's sophisticated risk management system and tightly intertwined authorities' regulations can also cause problems if the governance of financial firms and regulators is poor. This year's ELS scandal in the banking sector and the out-of-print marketing scandal in insurance companies are examples.

For financial institutions to be successful in ESG management, a GRC (Governance + Risk Management + Compliance) strategy that combines hardware and software risk management is essential.

GRC is a function that enables an organisation to set the direction of development and operation in line with business goals, operate the organisation transparently based on trust among employees, make decisions democratically and rationally, manage all risks faced by the organisation effectively and efficiently, and meet compliance with laws and regulations and internal control.

In January 2014, a personal information leak broke out at credit card companies: 100 million pieces of personal information managed by Kookmin Card, Nonghyup Card, and Lotte Card were leaked, a major breach on a scale that is hard to find anywhere in the world.

It was a ridiculous incident in which a person in charge of a credit rating agency's counterfeit detection system, who was on secondment to a credit card company, leaked the personal information of the card company's customers on a USB drive.

At that time, security risk management in our society and in financial companies was very weak, and the control systems to catch such failures were also insufficient within financial companies and regulators.

It is fortunate that ERM for enterprise-wide risk management was introduced to financial companies in earnest after this incident, and the protection of personal information in our society was strengthened.

The problem is that financial accidents, both large and small, have continued to occur since then, and it has become a matter of how well the system is operated. If the cows are lost and the barns are not properly repaired, financial progress can only be lip service.

By Donghan Chang, Risk Management Journalist (Professor Emeritus, Konkuk University)



